Revision as of 19:52, 10 November 2006

Overview

Web applications face many threats; among the most common are cross-site scripting (XSS) and related injection attacks. By some estimates around 90% of web applications contain XSS vulnerabilities, because they are easy to introduce and the proper tools to prevent them are not always available. No single library has provided all the functions developers need to fix these flaws in their code in a way that stands up over time against continuing research in the field. The Reform library attempts to provide a solid set of functions for encoding output for the most common context targets in web applications (e.g. HTML, XML, JavaScript). It also takes a conservative view of which characters are allowable, based on historical vulnerabilities and current injection techniques: rather than blocklisting characters known to be dangerous, it encodes everything outside a small set of characters known to be safe.

Download

The latest code is maintained in a Google Code repository [1].

Features

Unicode support

Context specific functions (HTML, XML, JavaScript, etc)

Many supported languages

Java

.NET v1/v2

PHP

Python

Perl

JavaScript

Support for AJAX

Conservative approach

Designed to defeat all currently known XSS techniques

Future Development

Ruby support

Java framework support

LDAP encoding functions

Add documentation on resolving XPath issues

News

OWASP Encoding Project Adopts Reform - 10:01, 8 November 2006 (EST)

OWASP is adopting the Reform Encoding Library as an OWASP project. We are currently in the process of moving over the source, downloads, and documentation.

OWASP Encoding Project Created! - 10:01, 8 November 2006 (EST)

The Open Web Application Security Project is proud to announce the OWASP Encoding Project!

Feedback and Participation:

We hope you find the OWASP Encoding Project useful. Please contribute to the Project by volunteering for one of the tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Encoding Project mailing list or view the archives, please visit the subscription page.